Respond with status 401 rather than 404 on authorization failure #14
Description
Even though oauth nukleus determines authorization for propagated BEGIN frame, it cannot currently detect the difference between receiving a RESET due to missing route vs RESET due to insufficient privileges, so RESET after BEGIN is always interpreted as status 404.
If we would prefer to respond with status 401 when RESET is due to insufficient privileges, then we need a way to indicate the cause of the RESET.
Rather than having each nukleus stream factory take responsibility for responding with RESET that indicates insufficient privileges, it would be better to move this down into the reaktor.
However, that will potentially introduce a change of contract between the reaktor and each nukleus. For example, the inbound authorization for the oauth nukleus might not align with the required authorization for any outbound route, but that fails to consider the oauth specific processing of the authorization header or access_token query parameter.
Responding with status 401 should also include the realm, so if the required authorization was exposed in the RESET, it would be necessary to lookup the realm name from the authorization bit mask.
Further analysis is needed.